portaudit wishlist
Oliver Eikemeier
eikemeier at fillmore-labs.com
Tue Aug 17 12:16:48 PDT 2004
Ok, things that I think would be really useful (incomplete list):
- csh-style braces. When this is not the right syntax, this could be
done with
<optional>ja-</optional>bugzilla
or
<alternate><choice>ja-</choice><choice>kr-</choice></alternate>cups
but we have many slave ports which just differ in prefixes/suffixes, and
it would be easy to expand them when reading the file.
Yes, portaudit does linear searches. Besides, this will greatly diminish
the size of the database.
I'm even willing to sacrifice glob patterns `*' and `?' for that,
although they can be quite convenient sometimes.
- 1.* notation as the `smallest 1.x version possible'. 1.a is not the
smallest, besides it is not completely transparent why .a is chosen in
the range. When the `*' is the problem, this could be easily changed to
a random character, or even a <ger></ger> (greater equal range) tag (ok,
the name is silly), but I want to have some standard way like >= 1.* <
2.* to match all 1.x and nothing else. No, I don't think >= 1.a < 2.a is
good here.
- make `discovery' optional. It's a nice-to-have, but sometimes hard to
find out, and dummy entries like entry = discovery do not help anyone.
(ok, superseded by another thread).
- make `description' optional. It is in the way of `quick' entries which
should be researched later. Of course it is acceptable to fill it with a
dummy value, but in this case it shouldn't be present IMHO and the dummy
value should be provided by the rendering code. Or will an empty tag do?
- make a `severity' field available. Of course it might be inaccurate,
and software might want to ignore it and provide its own data. Yet it
is useful when you only have time for a quick glance (notify me
immediately of severe vulnerabilities, all others should only appear in
Friday's report). It is a valuable guidance for the users, although I'm
aware it is very error-prone.
- add a classification into remote/local exploitable
- add a `fixed' field that lists a version where the vulnerability is
fixed. This could be used for a recommendation message, like "upgrade to
version xxx" or "no upgrade is available, please deinstall the port or
proceed with caution".
This could also be realized as an alternate <lt> tag.
- Also we should add tags for the most popular references. Speaking of
references, I would prefer something like <bid num="10499">CVS Multiple
Vulnerabilities</bid>, which means they can be rendered with a meaningful
line (but most not, so <bid num="10499"/> is legal too).
Ok, too many threads now. I have to look into this a little closer.
-Oliver
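As an added example (not code from the post, portaudit or VuXML), here is one way the csh-style brace expansion proposed above could be done when reading the database: every pattern is expanded once at load time into its concrete port names, so the file stays small while checking installed packages becomes a set lookup instead of a linear scan. The brace syntax, the helper names and the sample patterns are assumptions drawn from the post; glob `*` and `?` are deliberately not handled.

```python
from typing import Iterable, List, Set

def _split_top_level(s: str) -> List[str]:
    """Split on commas that are not nested inside inner braces."""
    parts, cur, depth = [], [], 0
    for ch in s:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def brace_expand(pattern: str) -> List[str]:
    """Expand the first top-level {a,b,...} group, then recurse on the rest."""
    depth, start = 0, -1
    for i, ch in enumerate(pattern):
        if ch == "{":
            if depth == 0:
                start = i  # first character of the outermost group
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                prefix, suffix = pattern[:start], pattern[i + 1:]
                out: List[str] = []
                for alt in _split_top_level(pattern[start + 1:i]):
                    # alt may itself contain braces; suffix may hold more groups
                    out.extend(brace_expand(prefix + alt + suffix))
                return out
    if depth != 0:
        raise ValueError(f"unbalanced braces in {pattern!r}")
    return [pattern]

def affected_names(patterns: Iterable[str]) -> Set[str]:
    """Expand every pattern once at load time; lookups are then O(1)."""
    return {name for p in patterns for name in brace_expand(p)}

# Constructed sample entry using the brace syntax proposed in the post.
SAMPLE_PATTERNS = ["{,ja-}bugzilla", "{,ja-,kr-}cups"]
AFFECTED = affected_names(SAMPLE_PATTERNS)
```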
More information about the freebsd-vuxml mailing list